registry  /  @op0ai/cli  /  0.2.0

@op0ai/cli@0.2.0

The op0 CLI — your account, cloud, and workbench for op0.ai (the governed runtime for agent work). op0 login · deploy · connect · make · list · status · logs · pull · eject · dev · push · wire · pair. Proprietary — free to use WITH the op0 runtime.

AI Security Review

scanned 36m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an op0 CLI that performs documented, user-invoked network operations and optional transcript pairing with redaction.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs op0 commands such as login, deploy, pull, push, dev, or pair
Impact
User-authorized op0 workflow actions; no install-time mutation or hidden exfiltration found
Mechanism
documented CLI network/control-plane operations
Rationale
Static inspection found suspicious primitives, but they are aligned with a documented CLI and activated by explicit user commands rather than lifecycle/import-time behavior. The Claude transcript pairing feature is visible, redacted by default, and does not install hooks or mutate AI-agent settings in this version.
Evidence
package.jsonbin/op0.mjsbin/pair.mjslib/core.mjslib/pair-core.mjsREADME.md
Network endpoints9
console.op0.ai/api/device/startconsole.op0.ai/api/device/pollapi.op0.dev/factory/temporaryapi.op0.dev/factory/makeapi.op0.dev/factory/make-statusapi.op0.dev/factory/pushapi.op0.dev/factory/sessions/ingestevlog.usectx.com/eventsmcp.usectx.com/mcp

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle scripts; only bin op0 -> bin/op0.mjs
    • bin/op0.mjs network calls are user-invoked op0 commands to op0/usectx hosts, not import/install-time execution
    • bin/op0.mjs child_process use is limited to user-invoked eject git init and dev npx wrangler dev
    • bin/pair.mjs tails Claude transcript only when user runs op0 pair; --install-hooks explicitly prints a stub and writes nothing
    • lib/pair-core.mjs redacts common secrets, denies .env/secrets path payloads, hashes tool inputs/results, and caps payload size
    • No eval/vm/dynamic require/native binary loading or credential harvesting beyond documented login/session config
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 4 file(s), 64.8 KB of source, external domains: api.op0.dev, console.op0.ai, evlog.usectx.com, mcp.usectx.com, op0.ai

    Source & flagged code

    4 flagged · loading source
    bin/op0.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = @op0ai/cli@0.1.3 matchedIdentity = npm:QG9wMGFpL2NsaQ:0.1.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    bin/op0.mjsView on unpkg
    13import { homedir } from "node:os"; L14: import { execSync, spawnSync } from "node:child_process"; L15: import * as p from "@clack/prompts";
    High
    Child Process

    Package source references child process execution.

    bin/op0.mjsView on unpkg · L13
    13import { homedir } from "node:os"; L14: import { execSync, spawnSync } from "node:child_process"; L15: import * as p from "@clack/prompts"; ... L18: // ── the op0 session (the device-flow key lives here; the workbench rides it via loadSession) ── L19: const CONSOLE = process.env.OP0_CONSOLE ?? "https://console.op0.ai"; L20: const FACTORY_DEFAULT = process.env.OP0_FACTORY ?? "https://api.op0.dev";
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    bin/op0.mjsView on unpkg · L13
    374console.log(`\nstarting wrangler dev in ${dir}/ (local only; ship with 'op0 make ${name}' or 'op0 push')`); L375: const r = spawnSync("npx", ["wrangler", "dev"], { cwd: dir, stdio: "inherit" }); L376: process.exit(r.status ?? 0);
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    bin/op0.mjsView on unpkg · L374

    Findings

    1 Critical4 High3 Medium5 Low
    CriticalPrevious Version Dangerous Deltabin/op0.mjs
    HighChild Processbin/op0.mjs
    HighShell
    HighSame File Env Network Executionbin/op0.mjs
    HighRuntime Package Installbin/op0.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License